
Start signing Atlantis containers and providing signatures/SBOMs for new releases #5157

Open
1 task done
notdurson opened this issue Dec 12, 2024 · 0 comments · May be fixed by #5158
Labels
feature New functionality/enhancement security

Comments


notdurson commented Dec 12, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

As a security engineer, I want to ensure that the containers I deploy into my environment include high-quality software. That software includes dependencies of the app destined to run within a container. I'd also like to implement signature verification into my container import workflow so that I can attest to the provenance of my container ecosystem. Without assurance that the containers that I run are the same ones which were imported from upstream, I may find myself at risk in the future.

Describe the solution you'd like

I would like to implement the following:

  • New container release workflow which signs Atlantis images when they are built and provides the signatures to downstream users for verification.
  • SBOM generation workflow which produces a CycloneDX formatted bill of materials for each new image version.

Describe the drawbacks of your solution

Image attestation is hard. One needs to maintain a private key, which increases the level of trust placed in project maintainers. Project maintenance cost may be slightly increased given that the signature workflow will require additional Actions minutes.

Describe alternatives you've considered

We considered signing our own copy of Atlantis but signing containers without doing anything else is pointless. Part of the supply chain security manifesto, if you can call it that, involves attesting to the quality and safety of the software within an image - not just the provenance of the image. That doesn't just mean the software that the image is intended to run. It means that software, its dependencies, and those dependencies’ transient dependencies. Since we don't fork Atlantis we don't gain anything by signing a copy of it.
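The two halves of the request above, producing a CycloneDX bill of materials for an image and consuming it in an import workflow, can be sketched in code. The following is an added example, not code from the Atlantis project or from this issue's author or the linked pull request. It assumes the CycloneDX 1.5 JSON field names (`bomFormat`, `specVersion`, `metadata.component.hashes`, `components[].purl`) and a constructed, placeholder image digest; signature verification of the image itself is left to cosign or an equivalent tool and is not reproduced here. The consumer-side check refuses an SBOM that is malformed, that is not bound to the digest of the image actually being imported, or that lists dependencies without a version or package URL, since a bill of materials with those gaps cannot be matched against vulnerability data.

```python
"""Producer and consumer side of a CycloneDX SBOM for a container image.

Added example for the discussion above; not Atlantis project code.
All names, versions and digests below are constructed placeholders.
"""
import json
from dataclasses import dataclass

# CycloneDX JSON spec versions this importer is willing to accept (assumption).
SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}

# Constructed placeholder digest; not the digest of any real image.
IMAGE_DIGEST = "sha256:" + "ab" * 32

# Constructed sample dependency lists. The second one is deliberately incomplete.
GOOD_COMPONENTS = [
    {"type": "library", "name": "example.com/libone", "version": "v1.2.3",
     "purl": "pkg:golang/example.com/libone@v1.2.3"},
    {"type": "library", "name": "example.com/libtwo", "version": "v0.9.0",
     "purl": "pkg:golang/example.com/libtwo@v0.9.0"},
]
INCOMPLETE_COMPONENTS = GOOD_COMPONENTS + [
    {"type": "library", "name": "example.com/unversioned",
     "purl": "pkg:golang/example.com/unversioned"},   # no version
    {"type": "library", "name": "libc-bin"},            # no version, no purl
]


def make_sbom(image_name, image_version, image_digest, components):
    """Producer side: a minimal CycloneDX document whose root component is the image.

    The SHA-256 hash on the root component is what binds the SBOM to one specific
    image digest, so a consumer can reject an SBOM that was generated for a
    different build.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "container",
                "name": image_name,
                "version": image_version,
                "hashes": [{"alg": "SHA-256",
                            "content": image_digest.removeprefix("sha256:")}],
            }
        },
        "components": list(components),
    }


def serialize_sbom(sbom):
    """JSON text as it would be published next to the image signature."""
    return json.dumps(sbom, indent=2)


@dataclass
class SbomReport:
    ok: bool
    component_count: int
    problems: list[str]


def check_sbom(sbom, image_digest):
    """Consumer side: import gate for an SBOM delivered with an image.

    Returns a report rather than raising, so every problem is listed at once.
    """
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if str(sbom.get("specVersion")) not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"unsupported specVersion {sbom.get('specVersion')!r}")

    # The SBOM must describe the image we are about to import, not some other build.
    root = sbom.get("metadata", {}).get("component", {})
    hashes = {h.get("alg"): h.get("content", "") for h in root.get("hashes", [])}
    expected = image_digest.removeprefix("sha256:").lower()
    if hashes.get("SHA-256", "").lower() != expected:
        problems.append("SBOM root component is not bound to the image digest being imported")

    # Each dependency needs a version and a purl to be useful for vulnerability matching.
    components = sbom.get("components", [])
    if not components:
        problems.append("SBOM lists no components")
    for comp in components:
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            problems.append(f"component {name}: missing version")
        if not comp.get("purl"):
            problems.append(f"component {name}: missing purl")

    return SbomReport(ok=not problems, component_count=len(components), problems=problems)


def check_sbom_json(text, image_digest):
    """Same gate, starting from the published JSON text; malformed input fails closed."""
    try:
        sbom = json.loads(text)
    except json.JSONDecodeError:
        return SbomReport(ok=False, component_count=0, problems=["SBOM is not valid JSON"])
    if not isinstance(sbom, dict):
        return SbomReport(ok=False, component_count=0, problems=["SBOM is not a JSON object"])
    return check_sbom(sbom, image_digest)


if __name__ == "__main__":
    published = serialize_sbom(
        make_sbom("example/atlantis", "v0.0.0-example", IMAGE_DIGEST, INCOMPLETE_COMPONENTS))
    report = check_sbom_json(published, IMAGE_DIGEST)
    print("import allowed" if report.ok else "import blocked")
    for problem in report.problems:
        print(" -", problem)
```

Run stand-alone, the script publishes the deliberately incomplete SBOM and the gate blocks the import, listing the two dependencies that lack a version or purl. In a real pipeline the JSON would come from the SBOM generator in the release workflow, and the digest from the registry manifest after the image signature has already been verified.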

@notdurson notdurson added the feature New functionality/enhancement label Dec 12, 2024
@dosubot dosubot bot added the security label Dec 12, 2024
@notdurson notdurson linked a pull request Dec 12, 2024 that will close this issue